Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-03-2023 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3afc93a38d805b014502c8aab7c12945e3469b63a79e2bfea7101cc011b578b2.exe

  • Size

    212KB

  • MD5

    776334c0e8b22c29f2d22b5f11b0af77

  • SHA1

    e6565024701a3768a6d3bedfc48fa8d5b3d6c0dd

  • SHA256

    3afc93a38d805b014502c8aab7c12945e3469b63a79e2bfea7101cc011b578b2

  • SHA512

    8ee51e32f131a35f0dfaed2b2a62f05721e08a057316bbca21df0529eec8ba1066c2c1da0a52f13cdf61da1c6979998e3c866efb0f531506d0767bc9c37ed490

  • SSDEEP

    3072:mZXkaon+lS7IhK6HBF+UeoVanoANOF8Z5KNXAbQmi:2o+lSfPDoANY8ZW8QN

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/
rc4.i32
rc4.i32

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3afc93a38d805b014502c8aab7c12945e3469b63a79e2bfea7101cc011b578b2.exe
    "C:\Users\Admin\AppData\Local\Temp\3afc93a38d805b014502c8aab7c12945e3469b63a79e2bfea7101cc011b578b2.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1100
  • C:\Users\Admin\AppData\Local\Temp\F3CB.exe
    C:\Users\Admin\AppData\Local\Temp\F3CB.exe
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c new.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\system32\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome" /v "CloudManagementEnrollmentToken" /t REG_SZ /d "d9bd6e4b-f7a3-4829-95e0-2c9bcf248048"
        3⤵
          PID:2372
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
        PID:3216
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:792
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
            PID:3388
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:2348
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              1⤵
                PID:4728
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:468
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  1⤵
                    PID:2088
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe
                    1⤵
                      PID:2360
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                        PID:3400

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\F3CB.exe
                        Filesize

                        151KB

                        MD5

                        b55feac472065f71921d6affc61df584

                        SHA1

                        46ec50413f2bc38fed1d6b69828208a673d2c818

                        SHA256

                        9a5ac58d9bdbe96a1bd2acd639d73fa943c2b5494eb09f4a3635e052c35e8030

                        SHA512

                        e3ad559d55f40914239946b49ed6a39ee74c6264e040714f9997324ffb3ee7937f679e62ba756945e333e0cd9774151b8cbfd71286fbf1e604a68caf4b1affa6

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\new.bat
                        Filesize

                        145B

                        MD5

                        efb41657387918c43a63deb685e2ab1d

                        SHA1

                        ef597efb37a86e33c0177f85c0c41049c128513b

                        SHA256

                        0776816e36fe9897fb0e9d916283e6a6996f0f8fb21a6b680e92e1121dbc9746

                        SHA512

                        e51469fffa92463f88e0c605bfc8a13986846bf004fe93e38a9b5a7e94982939514f8bbd48a02d86affe06f8e660b6835ede4064efb652b41f926f189bc0427b

                        Download Submit

                      • memory/468-169-0x0000000000CE0000-0x0000000000CE9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/468-170-0x0000000000D00000-0x0000000000D27000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/468-171-0x0000000000CE0000-0x0000000000CE9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/468-183-0x0000000000D00000-0x0000000000D27000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/792-157-0x00000000003F0000-0x00000000003FF000-memory.dmp

                        Filesize

                        60KB

                        Download

                      • memory/792-181-0x0000000000470000-0x000000000047B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/792-158-0x0000000000470000-0x000000000047B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/792-159-0x00000000003F0000-0x00000000003FF000-memory.dmp

                        Filesize

                        60KB

                        Download

                      • memory/1100-134-0x00000000006F0000-0x00000000006F9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/1100-137-0x0000000000400000-0x0000000000452000-memory.dmp

                        Filesize

                        328KB

                        Download

                      • memory/2088-174-0x0000000000310000-0x000000000031B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/2088-173-0x0000000000CE0000-0x0000000000CE9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/2088-172-0x0000000000310000-0x000000000031B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/2088-184-0x0000000000CE0000-0x0000000000CE9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/2348-163-0x00000000005E0000-0x00000000005EC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2348-164-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/2348-165-0x00000000005E0000-0x00000000005EC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2360-176-0x0000000000310000-0x000000000031B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/2360-175-0x0000000000C20000-0x0000000000C2D000-memory.dmp

                        Filesize

                        52KB

                        Download

                      • memory/2360-185-0x0000000000310000-0x000000000031B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/2360-177-0x0000000000C20000-0x0000000000C2D000-memory.dmp

                        Filesize

                        52KB

                        Download

                      • memory/3172-135-0x0000000002C00000-0x0000000002C16000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/3216-155-0x00000000006F0000-0x00000000006F9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/3216-156-0x0000000000470000-0x000000000047B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/3216-154-0x0000000000470000-0x000000000047B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/3388-162-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/3388-160-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/3388-182-0x00000000003F0000-0x00000000003FF000-memory.dmp

                        Filesize

                        60KB

                        Download

                      • memory/3388-161-0x00000000003F0000-0x00000000003FF000-memory.dmp

                        Filesize

                        60KB

                        Download

                      • memory/3400-178-0x0000000000E30000-0x0000000000E3B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/3400-179-0x0000000000C20000-0x0000000000C2D000-memory.dmp

                        Filesize

                        52KB

                        Download

                      • memory/3400-180-0x0000000000E30000-0x0000000000E3B000-memory.dmp

                        Filesize

                        44KB

                        Download

                      • memory/3400-186-0x0000000000C20000-0x0000000000C2D000-memory.dmp

                        Filesize

                        52KB

                        Download

                      • memory/4728-168-0x0000000000D00000-0x0000000000D27000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/4728-166-0x0000000000D00000-0x0000000000D27000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/4728-167-0x00000000005E0000-0x00000000005EC000-memory.dmp

                        Filesize

                        48KB

                        Download